Upgrade or die: Old vulnerabilities are prime targets

By William Jackson

Sep 11, 2012

Anyone who remembers life before the Graphic User Interface can tell you that the older a system is the more vulnerable it becomes to infections, breakdowns and abuses of all kinds. Now, researchers at Fortinet have confirmed what you probably already suspect: The longer a vulnerability has been around the more likely it is to be exploited, and replacing unsupported legacy software is a good idea.

A recent white paper by security strategist Derek Manky examines attack patterns over the last 13 years and finds that despite a growing number of vulnerabilities being discovered over time, it is the older flaws that are the most popular targets.

Vulnerabilities that have been discovered since 2010 are barely being touched — fewer than half a million attacks a year — while 2003 apparently was a vintage year; there have been nearly 48 million attacks against vulnerabilities that were discovered then.

Overall, Windows XP is far and away the most popular target, with Vista coming in second. Windows 7 has barely been scratched.

Part of this is because of better software design, Manky wrote. It is harder to get a working rootkit for Windows 7 because it is better protected. It also is partly a matter of time. “The older the vulnerability, the more time there is for hackers to obtain the necessary code in order to create and execute successful attacks against users,” he wrote. Piracy also contributes to the problem, since unauthorized installations are not supported.

But mainly it is a result of a lack of adequate patch management, because these are all known vulnerabilities with fixes available. With the approaching end of life for the beloved XP, patching and updating will become more problematic. And with the imminent release of Windows 8, administrators are going to have to decide soon about upgrading to the newest — or at least a newer — version of the operating system.